WordNet: Execution of arbitrary code
Multiple vulnerabilities were found in WordNet, possibly allowing for the
execution of arbitrary code.
wordnet2008-10-072008-10-07211491local, remote3.0-r23.0-r2

WordNet is a large lexical database of English.

Jukka Ruohonen initially reported a boundary error within the
searchwn() function in src/wn.c. A thorough investigation by the oCERT
team revealed several other vulnerabilities in WordNet:

Jukka Ruohonen and Rob Holland (oCERT) reported multiple boundary
errors within the searchwn() function in src/wn.c, the wngrep()
function in lib/search.c, the morphstr() and morphword() functions in
lib/morph.c, and the getindex() in lib/search.c, which lead to
stack-based buffer overflows.

In case the application is accessible e.g. via a web server,
a remote attacker could pass overly long strings as arguments to the
"wm" binary, possibly leading to the execution of arbitrary code.

A local attacker could exploit the second vulnerability via
specially crafted "WNSEARCHDIR" or "WNHOME" environment variables,
possibly leading to the execution of arbitrary code with escalated
privileges.

A local attacker could exploit the third and
fourth vulnerability by making the application use specially crafted
data files, possibly leading to the execution of arbitrary code.